FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
rduggal_FTNT
Staff
Article Id 278263
Description

This article describes how to split a FortiEDR Central Manager and Aggregator running on the same server onto dedicated servers to address scalability issues.

Scope

Specific to FortiEDR Central Manager and Aggregator when running on the same server.
Solution

This method is useful when FortiEDR Central Manager and Aggregator are hosted on-premise and running on the same Server.

 

Note: This Knowledge Base article uses the vi editor to edit files; however, any other editor can be used.

 

  1. SSH to the server running the FortiEDR Manager and Aggregator.
  2. Log in using root credentials.
  3. Execute the commands 'fortiedr status' and 'fortiedr manager status' to determine the status. The output should look like the following:

rduggal_FTNT_0-1696949438916.png

 

rduggal_FTNT_1-1696949438917.png

 

  4. Disable the FortiEDR aggregator role by executing the command 'fortiedr aggregator disable':

rduggal_FTNT_2-1696949438918.png

 

  5. Edit the file below to change the machine role:

 

vi /opt/FortiEDR/webapp/application-customer.properties

 

The file shows machine.role=both; this must be changed to manager, as below:

rduggal_FTNT_3-1696949438918.png

 

Change it to machine.role=manager, then save and exit the file.

 

rduggal_FTNT_4-1696949438919.png

 

  6. Edit the file below to change the machine role:

vi /opt/FortiEDR/platform/conf/platform.conf

 

The file shows role=both; this must be changed to manager, as below:

rduggal_FTNT_5-1696949438920.png

 

Change it to role=manager, then save and exit the file.

                                   

rduggal_FTNT_6-1696949438921.png

 

  7. Stop the nginx service using the command 'systemctl stop nginx' and verify the status using the command 'systemctl status nginx'.

 

rduggal_FTNT_7-1696949438925.png

 

  8. Change the IP address of the Manager. The existing IP will be used on the new aggregator to prevent any registration issues with existing registered collectors.
  • Type 'ifconfig' and record the interface name.

 

rduggal_FTNT_8-1696949438927.png

 

  • Edit the interface using the command 'vi /etc/sysconfig/network-scripts/ifcfg-ens33', change the IP, then save and exit.

rduggal_FTNT_9-1696949438927.png

 

rduggal_FTNT_10-1696949438928.png

 

  • Toggle the interface for the new IP to take effect using the command 'ifdown ens33 && ifup ens33'.
  9. Shut down the Manager's VM.
  10. Set up a new VM as the FortiEDR aggregator and assign it the same IP that was assigned to the VM which was running as both FortiEDR Manager and Aggregator (as per the above example, this is 192.168.70.244/24). Refer to the link below to set up a new VM as a FortiEDR aggregator.

Setting up a VM to be the FortiEDR Aggregator

 

  11. Power on the Manager VM and check 'fortiedr status'. The output should look like the following:

 

rduggal_FTNT_11-1696949438928.png

 

  12. Test from the new aggregator using the command 'curl -v telnet://manager:443'.
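
The two role edits above (machine.role in application-customer.properties and role in platform.conf) can also be scripted so that each file is backed up first and is only changed when it holds the expected value. This is an added example, not part of the original article or Fortinet tooling; the function name set_role_manager and the '--apply' switch are assumptions of this example, and it assumes each key appears once as key=both at the start of a line.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): scripted form of the two role edits.
# set_role_manager FILE KEY changes KEY=both to KEY=manager in FILE.
# It keeps a timestamped backup and refuses to edit on any unexpected value.
set_role_manager() {
    file=$1
    key=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    # Escape dots so 'machine.role' is matched literally by sed/grep.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    # Anchor at line start so KEY 'role' never matches a 'machine.role' line.
    current=$(sed -n "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p" "$file")
    case $current in
        manager) echo "$file: $key is already manager"; return 0 ;;
        both) ;;
        *) echo "$file: unexpected $key value '$current', not editing" >&2
           return 1 ;;
    esac
    bak="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$bak" || return 1
    # Write into the existing file so its owner and mode are unchanged.
    sed "s/^\([[:space:]]*${pat}[[:space:]]*=[[:space:]]*\)both/\1manager/" \
        "$bak" > "$file" || return 1
    # Confirm the edit took effect before reporting success.
    grep -q "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*manager" "$file"
}

# '--apply' is this example's own switch; the paths and keys are the article's.
if [ "${1:-}" = "--apply" ]; then
    set_role_manager /opt/FortiEDR/webapp/application-customer.properties machine.role &&
    set_role_manager /opt/FortiEDR/platform/conf/platform.conf role
fi
```

A missing key, a duplicated key, or any value other than both or manager makes the function return non-zero and leave the file untouched, so a partially converted server is not silently rewritten.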

 

If there are still any issues during the installation, open a new technical support ticket for further assistance:

Support Fortinet